SlideShare una empresa de Scribd logo

Maximizing SPDY and SSL Performance (June 2014)

Descargar como PPTX, PDF
Zoompf
Zoompf

Presented at the Atlanta Web Performance Meetup Group on June 2014, Billy Hoffman from Zoompf shows how to improve the performance of your website using SPDY and SSL and discusses SSL issues such as Heartbleed and CRIME

Software
1 de 56
Maximizing Performance with SPDY & SSL (June 2014) Billy Hoffman billy@zoompf.com @zoompf
What Is SPDY? • “Speedy” • Next Gen Web Protocol – Created by Google in 2009 – Basis of HTTP/2 spec • Designed for speed • Familiar Request/Response model – Largely abstracted away – Much improved plumbing – Extra features
Massive Browser Support
Massive Server Support
Cast of Characters • TCP • HTTP • SSL • X.509 Certificate • Cryptography (asymmetric & symmetric) • SPDY
HTTP/HTTPS
HTTP/SPDY/SSL Sandwich • SPDY encapsulates HTTP requests – Single Multiplexed stream • Transmits contents over SSL channel
Mapping To Frames
Breaking To Streams
Multiplexing Streams
HTTP Pipelining Revisited
Additional Features • Server Push! • Header Compression • Body Compression • Better use of TCP connections • Better upgrade approach
Today’s Focus • Setting the Stage for SPDY – Can speak SSL with a server – Can create a valid SSL connection – Client and Server agree to use SPDY • Optimizing SPDY – Optimizing SSL – Optimizing SPDY – Avoiding optimizations that hurt SPDY • Tools to help
SETTING THE STAGE FOR SPDY
SSL Connectivity • Hostname resolves • IP is reachable • Web server is listening on SSL port • Web server understands SSL • Web server knows which site you want – Shared Hosting and SNI
Listener on 443 is speaking SSL?
Creating a Valid SSL connection • Agreement on crypto algorithms • X.509 certificate is valid
X.509 Cert: Correct Domain?
X.509 Cert: Valid Time Period?
X.509 Cert: Is it Trusted?
X.509 Cert: Is it Trusted? • Do I trust the issuer? – If not, was it signed by someone I trust? • Has it been revoked? – CRL lists – Online Certificate Status Protocol (OCSP)
Agreeing to Use SPDY • Client tells server it supports SPDY • Server tells client it supports SPDY • Client sends SPDY over SSL • Else, falls back to HTTP over SSL
SSL Handshake Microsoft Technet: Host TLS/SSL Works http://bit.ly/16Zx0en
Announcing SPDY support in the SSL Handshake Microsoft Technet: Host TLS/SSL Works http://bit.ly/16Zx0en + Ext:13172/A LPN + NPN/ALPN + Ext:13172/ALPN
ClientHello with Extension 13172
ServerHello with NPN
Review: Speaking SPDY • Client resolves and connects to SSL port • Client announces SPDY support inside ClientHello • Server announces SPDY support in ServerHello • Client validates X.509 cert, finalized SSL connection • SPDY conversation happens
OPTIMIZING SSL/SPDY
The SSL Tarpits • SSL handshake requires 2 round trips • Certificates can be large • Certificates need to be validated • Keys can be too large • Algorithms can be slow • Revocation
The SSL Handshake is Costly! Microsoft Technet: Host TLS/SSL Works http://bit.ly/16Zx0en
Resume SSL Session • Avoid regenerating keys • Avoid unneeded trips • 2 methods Microsoft Technet: Host TLS/SSL Works http://bit.ly/16Zx0en
• Both sides keep state/cache • Reuse based on id • Widely supported Microsoft Technet: Host TLS/SSL Works http://bit.ly/16Zx0en sessionid: 3a8a… Big cache of all ids given out, and associated keys/ciphers Session Identifiers
• Client stores “Magic Ticket” • RFC 5077, optional • No IIS support Microsoft Technet: Host TLS/SSL Works http://bit.ly/16Zx0en Encrypted summary of keys/ciphers, signed by server Verifies summary is valid, uses values Session Tickets
SSL False Start
False Start: Not Gone • “The Failure of False Start” • Chrome still does it! – Desktop and mobile • Any server that supports NPN! (with forward secure) – Any server with SPDY support… – Or SSL + NPN, but only announces HTTP/1.1!
Minimize the Certificate Chain
OCSP Validation causes delays
OCSP Stapling • Good in theory, bad in practice • Browsers are moving away from OSCP
Heartbleed Ruined The Dream • OCSP doesn’t scale • DoS targets • We can’t do this well
Oversized Asymmetric Keys • 1024 is fine • 2048 for banks • Anything more is overkill
Cipher Order/Choice Matters • RC4 is the best • Unless on a machine with AES- NI – Intel i7, Xeons, some AMD – Not most virtual machines!!! • First match wins http://zombe.es/post/4078724716
Amazon EC2 • Partnered with Intel • Stop using M1!
Is SSL really helping you? • SSL doesn’t “secure” your website – Prevents eavesdropping, tampering – Not XSS, CSRF, SQL Injection, Unpatched/out- of-date software, RCE, LFI, etc. • Consider: NULL-MD5, NULL-SHA • SSL with no encryption
“Does this really matter?” • Seriously? • 1024 more bytes in key? • 2 more kilobytes in the X.509 cert? • Accidently using AES-256? • Really?
“Does this really matter?”
SPDY Optimization • SPDY only works over SSL • Ensure that all your traffic if over SSL • HTTP 301 direct for http: to https: – Add a cache-control header! • HTTP Strict Transport Security (HSTS) – Like the browser’s cache, but for protocol access. Make (semi) far future – Wide support (>90% of SPDY capable browsers)
Avoid These Optimizations • Domain Sharding – Hack to request multiplexing, not needed – Hurts SPDY by spreading requests out • JavaScript CDNs – These are a horrible blight on the web! – http://statichtml.com/2011/google-ajax- libraries-caching.html – https://github.com/h5bp/html5- boilerplate/pull/1327
TOOLS
SSL Labs
SPDYCheck.org
Now on Github, GPL licensed!
SSL/SPDY Optimization Check List • Website responds over SSL/443 • Website has NPN extension (even without SPDY for False Start) • X.509 certificate is valid • X.509 chain is short • SSL Asymmetric keys are <= 2048 • Cipher is fast! (RC-4, AES-128 if supports dedicated instructions)
SSL/SPDY Optimization Check List • SSL session resumption is enabled (both identifiers and tickets) • No SSL compression • Website is using latest version of SPDY • HTTP permanently (301) redirects to HTTPS (including cache header) • HTTPS sends HTTP Strict Transport Security header
Great Resources • Ivan Ristic (blog.ivanristic.com) • Adam Langley (www.imperialviolet.org) • Mark Nottingham (www.mnot.net/blog/) • Qualys SSL Labs (ssllabs.com) • SPDYCheck (spdycheck.org)
Free Performance Assessment zoompf.com/free
Maximizing Performance with SPDY & SSL Billy Hoffman billy@zoompf.com @zoompf

Recomendados

Maximizing Performance with SPDY and SSL
Maximizing Performance with SPDY and SSLMaximizing Performance with SPDY and SSL
Maximizing Performance with SPDY and SSL
Zoompf
 
HTTPS: What, Why and How (SmashingConf Freiburg, Sep 2015)
HTTPS: What, Why and How (SmashingConf Freiburg, Sep 2015)HTTPS: What, Why and How (SmashingConf Freiburg, Sep 2015)
HTTPS: What, Why and How (SmashingConf Freiburg, Sep 2015)
Guy Podjarny
 
Altitude San Francisco 2018: HTTP Invalidation Workshop
Altitude San Francisco 2018: HTTP Invalidation WorkshopAltitude San Francisco 2018: HTTP Invalidation Workshop
Altitude San Francisco 2018: HTTP Invalidation Workshop
Fastly
 
Unsafe SSL webinar
Unsafe SSL webinarUnsafe SSL webinar
Unsafe SSL webinar
Wolfgang Kandek
 
NGINX for Application Delivery & Acceleration
NGINX for Application Delivery & AccelerationNGINX for Application Delivery & Acceleration
NGINX for Application Delivery & Acceleration
NGINX, Inc.
 
Virus Bulletin 2012
Virus Bulletin 2012Virus Bulletin 2012
Virus Bulletin 2012
Cloudflare
 
Overview of SSL: choose the option that's right for you
Overview of SSL: choose the option that's right for youOverview of SSL: choose the option that's right for you
Overview of SSL: choose the option that's right for you
Cloudflare
 
Are we security yet
Are we security yetAre we security yet
Are we security yet
Cristian Vat
 

Recomendados

Maximizing Performance with SPDY and SSL
Maximizing Performance with SPDY and SSLMaximizing Performance with SPDY and SSL
Maximizing Performance with SPDY and SSL
Zoompf
 
HTTPS: What, Why and How (SmashingConf Freiburg, Sep 2015)
HTTPS: What, Why and How (SmashingConf Freiburg, Sep 2015)HTTPS: What, Why and How (SmashingConf Freiburg, Sep 2015)
HTTPS: What, Why and How (SmashingConf Freiburg, Sep 2015)
Guy Podjarny
 
Altitude San Francisco 2018: HTTP Invalidation Workshop
Altitude San Francisco 2018: HTTP Invalidation WorkshopAltitude San Francisco 2018: HTTP Invalidation Workshop
Altitude San Francisco 2018: HTTP Invalidation Workshop
Fastly
 
Unsafe SSL webinar
Unsafe SSL webinarUnsafe SSL webinar
Unsafe SSL webinar
Wolfgang Kandek
 
NGINX for Application Delivery & Acceleration
NGINX for Application Delivery & AccelerationNGINX for Application Delivery & Acceleration
NGINX for Application Delivery & Acceleration
NGINX, Inc.
 
Virus Bulletin 2012
Virus Bulletin 2012Virus Bulletin 2012
Virus Bulletin 2012
Cloudflare
 
Overview of SSL: choose the option that's right for you
Overview of SSL: choose the option that's right for youOverview of SSL: choose the option that's right for you
Overview of SSL: choose the option that's right for you
Cloudflare
 
Are we security yet
Are we security yetAre we security yet
Are we security yet
Cristian Vat
 
WPNYC: Moving your site to HTTPS
WPNYC: Moving your site to HTTPSWPNYC: Moving your site to HTTPS
WPNYC: Moving your site to HTTPS
Paul Schreiber
 
Benchmarking NGINX for Accuracy and Results
Benchmarking NGINX for Accuracy and ResultsBenchmarking NGINX for Accuracy and Results
Benchmarking NGINX for Accuracy and Results
NGINX, Inc.
 
Varnish Cache Plus. Random notes for wise web developers
Varnish Cache Plus. Random notes for wise web developersVarnish Cache Plus. Random notes for wise web developers
Varnish Cache Plus. Random notes for wise web developers
Carlos Abalde
 
Revisiting HTTP/2
Revisiting HTTP/2Revisiting HTTP/2
Revisiting HTTP/2
Fastly
 
Web agencies: An analysis of the OVH infrastructure to optimise your web proj...
Web agencies: An analysis of the OVH infrastructure to optimise your web proj...Web agencies: An analysis of the OVH infrastructure to optimise your web proj...
Web agencies: An analysis of the OVH infrastructure to optimise your web proj...
OVHcloud
 
ION Sri Lanka - Why Implement DNSSEC?
ION Sri Lanka - Why Implement DNSSEC?ION Sri Lanka - Why Implement DNSSEC?
ION Sri Lanka - Why Implement DNSSEC?
Deploy360 Programme (Internet Society)
 
Sullivan heartbleed-defcon22 2014
Sullivan heartbleed-defcon22 2014Sullivan heartbleed-defcon22 2014
Sullivan heartbleed-defcon22 2014
Cloudflare
 
Content Access Control with Varnish Cache
Content Access Control with Varnish CacheContent Access Control with Varnish Cache
Content Access Control with Varnish Cache
Carlos Abalde
 
High Performance WordPress II
High Performance WordPress IIHigh Performance WordPress II
High Performance WordPress II
Barry Abrahamson
 
BrightonSEO Sep 2015 - HTTPS | Mark Thomas
BrightonSEO Sep 2015 - HTTPS | Mark Thomas BrightonSEO Sep 2015 - HTTPS | Mark Thomas
BrightonSEO Sep 2015 - HTTPS | Mark Thomas
Anna Morrison
 
2013 - Igor Sysoev - NGINx: origen, evolución y futuro - PHP Conference Argen...
2013 - Igor Sysoev - NGINx: origen, evolución y futuro - PHP Conference Argen...2013 - Igor Sysoev - NGINx: origen, evolución y futuro - PHP Conference Argen...
2013 - Igor Sysoev - NGINx: origen, evolución y futuro - PHP Conference Argen...
PHP Conference Argentina
 
Cluster Fudge: Recipes for WordPress in the Cloud (WordCamp Austin 2014 Speaker)
Cluster Fudge: Recipes for WordPress in the Cloud (WordCamp Austin 2014 Speaker)Cluster Fudge: Recipes for WordPress in the Cloud (WordCamp Austin 2014 Speaker)
Cluster Fudge: Recipes for WordPress in the Cloud (WordCamp Austin 2014 Speaker)
Grant Norwood
 
Russia vps
Russia vpsRussia vps
Russia vps
Manisha Rawat
 
ION Sri Lanka - DNSSEC at LK Domain Registry
ION Sri Lanka - DNSSEC at LK Domain RegistryION Sri Lanka - DNSSEC at LK Domain Registry
ION Sri Lanka - DNSSEC at LK Domain Registry
Deploy360 Programme (Internet Society)
 
Web performance across the HTTP to HTTPS transition
Web performance across the HTTP to HTTPS transitionWeb performance across the HTTP to HTTPS transition
Web performance across the HTTP to HTTPS transition
seanwalbran
 
Altitude SF 2017: The power of the network
Altitude SF 2017: The power of the networkAltitude SF 2017: The power of the network
Altitude SF 2017: The power of the network
Fastly
 
The SSL Problem and How to Deploy SHA2 Certificates
The SSL Problem and How to Deploy SHA2 CertificatesThe SSL Problem and How to Deploy SHA2 Certificates
The SSL Problem and How to Deploy SHA2 Certificates
Gabriella Davis
 
WordPress Hosting Survival Guide
WordPress Hosting Survival Guide WordPress Hosting Survival Guide
WordPress Hosting Survival Guide
WordCamp Sydney
 
SPDY - http reloaded - WebTechConference 2012
SPDY - http reloaded - WebTechConference 2012SPDY - http reloaded - WebTechConference 2012
SPDY - http reloaded - WebTechConference 2012
Fabian Lange
 
SSL for SaaS Providers
SSL for SaaS ProvidersSSL for SaaS Providers
SSL for SaaS Providers
Cloudflare
 
SPDY - or maybe HTTP2.0
SPDY - or maybe HTTP2.0SPDY - or maybe HTTP2.0
SPDY - or maybe HTTP2.0
Andreas Bjärlestam
 
SPDY
SPDYSPDY
SPDY
Andreas Bjärlestam
 

Más contenido relacionado

La actualidad más candente

Revisiting HTTP/2
Revisiting HTTP/2Revisiting HTTP/2
Revisiting HTTP/2
Fastly
 
Cluster Fudge: Recipes for WordPress in the Cloud (WordCamp Austin 2014 Speaker)
Cluster Fudge: Recipes for WordPress in the Cloud (WordCamp Austin 2014 Speaker)Cluster Fudge: Recipes for WordPress in the Cloud (WordCamp Austin 2014 Speaker)
Cluster Fudge: Recipes for WordPress in the Cloud (WordCamp Austin 2014 Speaker)
Grant Norwood
 
The SSL Problem and How to Deploy SHA2 Certificates
The SSL Problem and How to Deploy SHA2 CertificatesThe SSL Problem and How to Deploy SHA2 Certificates
The SSL Problem and How to Deploy SHA2 Certificates
Gabriella Davis
 

La actualidad más candente (20)

WPNYC: Moving your site to HTTPS
WPNYC: Moving your site to HTTPSWPNYC: Moving your site to HTTPS
WPNYC: Moving your site to HTTPS
 
Benchmarking NGINX for Accuracy and Results
Benchmarking NGINX for Accuracy and ResultsBenchmarking NGINX for Accuracy and Results
Benchmarking NGINX for Accuracy and Results
 
Varnish Cache Plus. Random notes for wise web developers
Varnish Cache Plus. Random notes for wise web developersVarnish Cache Plus. Random notes for wise web developers
Varnish Cache Plus. Random notes for wise web developers
 
Revisiting HTTP/2
Revisiting HTTP/2Revisiting HTTP/2
Revisiting HTTP/2
 
Web agencies: An analysis of the OVH infrastructure to optimise your web proj...
Web agencies: An analysis of the OVH infrastructure to optimise your web proj...Web agencies: An analysis of the OVH infrastructure to optimise your web proj...
Web agencies: An analysis of the OVH infrastructure to optimise your web proj...
 
ION Sri Lanka - Why Implement DNSSEC?
ION Sri Lanka - Why Implement DNSSEC?ION Sri Lanka - Why Implement DNSSEC?
ION Sri Lanka - Why Implement DNSSEC?
 
Sullivan heartbleed-defcon22 2014
Sullivan heartbleed-defcon22 2014Sullivan heartbleed-defcon22 2014
Sullivan heartbleed-defcon22 2014
 
Content Access Control with Varnish Cache
Content Access Control with Varnish CacheContent Access Control with Varnish Cache
Content Access Control with Varnish Cache
 
High Performance WordPress II
High Performance WordPress IIHigh Performance WordPress II
High Performance WordPress II
 
BrightonSEO Sep 2015 - HTTPS | Mark Thomas
BrightonSEO Sep 2015 - HTTPS | Mark Thomas BrightonSEO Sep 2015 - HTTPS | Mark Thomas
BrightonSEO Sep 2015 - HTTPS | Mark Thomas
 
2013 - Igor Sysoev - NGINx: origen, evolución y futuro - PHP Conference Argen...
2013 - Igor Sysoev - NGINx: origen, evolución y futuro - PHP Conference Argen...2013 - Igor Sysoev - NGINx: origen, evolución y futuro - PHP Conference Argen...
2013 - Igor Sysoev - NGINx: origen, evolución y futuro - PHP Conference Argen...
 
Cluster Fudge: Recipes for WordPress in the Cloud (WordCamp Austin 2014 Speaker)
Cluster Fudge: Recipes for WordPress in the Cloud (WordCamp Austin 2014 Speaker)Cluster Fudge: Recipes for WordPress in the Cloud (WordCamp Austin 2014 Speaker)
Cluster Fudge: Recipes for WordPress in the Cloud (WordCamp Austin 2014 Speaker)
 
Russia vps
Russia vpsRussia vps
Russia vps
 
ION Sri Lanka - DNSSEC at LK Domain Registry
ION Sri Lanka - DNSSEC at LK Domain RegistryION Sri Lanka - DNSSEC at LK Domain Registry
ION Sri Lanka - DNSSEC at LK Domain Registry
 
Web performance across the HTTP to HTTPS transition
Web performance across the HTTP to HTTPS transitionWeb performance across the HTTP to HTTPS transition
Web performance across the HTTP to HTTPS transition
 
Altitude SF 2017: The power of the network
Altitude SF 2017: The power of the networkAltitude SF 2017: The power of the network
Altitude SF 2017: The power of the network
 
The SSL Problem and How to Deploy SHA2 Certificates
The SSL Problem and How to Deploy SHA2 CertificatesThe SSL Problem and How to Deploy SHA2 Certificates
The SSL Problem and How to Deploy SHA2 Certificates
 
WordPress Hosting Survival Guide
WordPress Hosting Survival Guide WordPress Hosting Survival Guide
WordPress Hosting Survival Guide
 
SPDY - http reloaded - WebTechConference 2012
SPDY - http reloaded - WebTechConference 2012SPDY - http reloaded - WebTechConference 2012
SPDY - http reloaded - WebTechConference 2012
 
SSL for SaaS Providers
SSL for SaaS ProvidersSSL for SaaS Providers
SSL for SaaS Providers
 

Similar a Maximizing SPDY and SSL Performance (June 2014)

SSL: Past, Present and Future
SSL: Past, Present and FutureSSL: Past, Present and Future
SSL: Past, Present and Future
Luis Grangeia
 
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
Gabriella Davis
 
Secure Content Delivery Using Amazon CloudFront and AWS WAF
Secure Content Delivery Using Amazon CloudFront and AWS WAFSecure Content Delivery Using Amazon CloudFront and AWS WAF
Secure Content Delivery Using Amazon CloudFront and AWS WAF
Amazon Web Services
 
Secure Content Delivery Using Amazon CloudFront and AWS WAF
Secure Content Delivery Using Amazon CloudFront and AWS WAFSecure Content Delivery Using Amazon CloudFront and AWS WAF
Secure Content Delivery Using Amazon CloudFront and AWS WAF
Amazon Web Services
 
Scalable Reliable Secure REST
Scalable Reliable Secure RESTScalable Reliable Secure REST
Scalable Reliable Secure REST
guestb2ed5f
 
How the SSL/TLS protocol works (very briefly) How to use HTTPS
How the SSL/TLS protocol works (very briefly) How to use HTTPSHow the SSL/TLS protocol works (very briefly) How to use HTTPS
How the SSL/TLS protocol works (very briefly) How to use HTTPS
whj76337
 

Similar a Maximizing SPDY and SSL Performance (June 2014) (20)

SPDY - or maybe HTTP2.0
SPDY - or maybe HTTP2.0SPDY - or maybe HTTP2.0
SPDY - or maybe HTTP2.0
 
SPDY
SPDYSPDY
SPDY
 
HTTPS presentation at Port80 Sydney meetup March 2016
HTTPS presentation at Port80 Sydney meetup March 2016HTTPS presentation at Port80 Sydney meetup March 2016
HTTPS presentation at Port80 Sydney meetup March 2016
 
SPDY
SPDYSPDY
SPDY
 
Next generation web protocols
Next generation web protocolsNext generation web protocols
Next generation web protocols
 
Accelerating and Securing your Applications in AWS. In-depth look at Solving ...
Accelerating and Securing your Applications in AWS. In-depth look at Solving ...Accelerating and Securing your Applications in AWS. In-depth look at Solving ...
Accelerating and Securing your Applications in AWS. In-depth look at Solving ...
 
SSL: Past, Present and Future
SSL: Past, Present and FutureSSL: Past, Present and Future
SSL: Past, Present and Future
 
SSL: Past, Present and Future
SSL: Past, Present and FutureSSL: Past, Present and Future
SSL: Past, Present and Future
 
HTTP vs HTTPS, Do You Really Need HTTPS?
HTTP vs HTTPS, Do You Really Need HTTPS?HTTP vs HTTPS, Do You Really Need HTTPS?
HTTP vs HTTPS, Do You Really Need HTTPS?
 
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
 
Http - All you need to know
Http - All you need to knowHttp - All you need to know
Http - All you need to know
 
SPDY and HTTP/2
SPDY and HTTP/2SPDY and HTTP/2
SPDY and HTTP/2
 
SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)
 
Secure Content Delivery Using Amazon CloudFront and AWS WAF
Secure Content Delivery Using Amazon CloudFront and AWS WAFSecure Content Delivery Using Amazon CloudFront and AWS WAF
Secure Content Delivery Using Amazon CloudFront and AWS WAF
 
State of the Web
State of the WebState of the Web
State of the Web
 
Secure Content Delivery Using Amazon CloudFront and AWS WAF
Secure Content Delivery Using Amazon CloudFront and AWS WAFSecure Content Delivery Using Amazon CloudFront and AWS WAF
Secure Content Delivery Using Amazon CloudFront and AWS WAF
 
Scalable Reliable Secure REST
Scalable Reliable Secure RESTScalable Reliable Secure REST
Scalable Reliable Secure REST
 
How the SSL/TLS protocol works (very briefly) How to use HTTPS
How the SSL/TLS protocol works (very briefly) How to use HTTPSHow the SSL/TLS protocol works (very briefly) How to use HTTPS
How the SSL/TLS protocol works (very briefly) How to use HTTPS
 
Token vs Cookies (DevoxxMA 2015)
Token vs Cookies (DevoxxMA 2015)Token vs Cookies (DevoxxMA 2015)
Token vs Cookies (DevoxxMA 2015)
 
curl and new technologies
curl and new technologiescurl and new technologies
curl and new technologies
 

Último

Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Alberto González Trastoy
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
MyIntelliSource, Inc.
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
anilsa9823
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Call Girls In Delhi Whatsup 9873940964 Enjoy Unlimited Pleasure
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
harshavardhanraghave
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
mohitmore19
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
panagenda
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
Delhi Call girls
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Steffen Staab
 
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
anilsa9823
 

Último (20)

Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
 

Maximizing SPDY and SSL Performance (June 2014)

  • 1. Maximizing Performance with SPDY & SSL (June 2014) Billy Hoffman billy@zoompf.com @zoompf
  • 2. What Is SPDY? • “Speedy” • Next Gen Web Protocol – Created by Google in 2009 – Basis of HTTP/2 spec • Designed for speed • Familiar Request/Response model – Largely abstracted away – Much improved plumbing – Extra features
  • 5. Cast of Characters • TCP • HTTP • SSL • X.509 Certificate • Cryptography (asymmetric & symmetric) • SPDY
  • 7. HTTP/SPDY/SSL Sandwich • SPDY encapsulates HTTP requests – Single Multiplexed stream • Transmits contents over SSL channel
  • 12. Additional Features • Server Push! • Header Compression • Body Compression • Better use of TCP connections • Better upgrade approach
  • 13. Today’s Focus • Setting the Stage for SPDY – Can speak SSL with a server – Can create a valid SSL connection – Client and Server agree to use SPDY • Optimizing SPDY – Optimizing SSL – Optimizing SPDY – Avoiding optimizations that hurt SPDY • Tools to help
  • 14. SETTING THE STAGE FOR SPDY
  • 15. SSL Connectivity • Hostname resolves • IP is reachable • Web server is listening on SSL port • Web server understands SSL • Web server knows which site you want – Shared Hosting and SNI
  • 16. Listener on 443 is speaking SSL?
  • 17. Creating a Valid SSL connection • Agreement on crypto algorithms • X.509 certificate is valid
  • 19. X.509 Cert: Valid Time Period?
  • 20. X.509 Cert: Is it Trusted?
  • 21. X.509 Cert: Is it Trusted? • Do I trust the issuer? – If not, was it signed by someone I trust? • Has it been revoked? – CRL lists – Online Certificate Status Protocol (OCSP)
  • 22. Agreeing to Use SPDY • Client tells server it supports SPDY • Server tells client it supports SPDY • Client sends SPDY over SSL • Else, falls back to HTTP over SSL
  • 23. SSL Handshake Microsoft Technet: Host TLS/SSL Works http://bit.ly/16Zx0en
  • 24. Announcing SPDY support in the SSL Handshake Microsoft Technet: Host TLS/SSL Works http://bit.ly/16Zx0en + Ext:13172/A LPN + NPN/ALPN + Ext:13172/ALPN
  • 27. Review: Speaking SPDY • Client resolves and connects to SSL port • Client announces SPDY support inside ClientHello • Server announces SPDY support in ServerHello • Client validates X.509 cert, finalized SSL connection • SPDY conversation happens
  • 29. The SSL Tarpits • SSL handshake requires 2 round trips • Certificates can be large • Certificates need to be validated • Keys can be too large • Algorithms can be slow • Revocation
  • 30. The SSL Handshake is Costly! Microsoft Technet: Host TLS/SSL Works http://bit.ly/16Zx0en
  • 31. Resume SSL Session • Avoid regenerating keys • Avoid unneeded trips • 2 methods Microsoft Technet: Host TLS/SSL Works http://bit.ly/16Zx0en
  • 32. • Both sides keep state/cache • Reuse based on id • Widely supported Microsoft Technet: Host TLS/SSL Works http://bit.ly/16Zx0en sessionid: 3a8a… Big cache of all ids given out, and associated keys/ciphers Session Identifiers
  • 33. • Client stores “Magic Ticket” • RFC 5077, optional • No IIS support Microsoft Technet: Host TLS/SSL Works http://bit.ly/16Zx0en Encrypted summary of keys/ciphers, signed by server Verifies summary is valid, uses values Session Tickets
  • 35. False Start: Not Gone • “The Failure of False Start” • Chrome still does it! – Desktop and mobile • Any server that supports NPN! (with forward secure) – Any server with SPDY support… – Or SSL + NPN, but only announces HTTP/1.1!
  • 38. OCSP Stapling • Good in theory, bad in practice • Browsers are moving away from OSCP
  • 39. Heartbleed Ruined The Dream • OCSP doesn’t scale • DoS targets • We can’t do this well
  • 40. Oversized Asymmetric Keys • 1024 is fine • 2048 for banks • Anything more is overkill
  • 41. Cipher Order/Choice Matters • RC4 is the best • Unless on a machine with AES- NI – Intel i7, Xeons, some AMD – Not most virtual machines!!! • First match wins http://zombe.es/post/4078724716
  • 42. Amazon EC2 • Partnered with Intel • Stop using M1!
  • 43. Is SSL really helping you? • SSL doesn’t “secure” your website – Prevents eavesdropping, tampering – Not XSS, CSRF, SQL Injection, Unpatched/out- of-date software, RCE, LFI, etc. • Consider: NULL-MD5, NULL-SHA • SSL with no encryption
  • 44. “Does this really matter?” • Seriously? • 1024 more bytes in key? • 2 more kilobytes in the X.509 cert? • Accidently using AES-256? • Really?
  • 45. “Does this really matter?”
  • 46. SPDY Optimization • SPDY only works over SSL • Ensure that all your traffic if over SSL • HTTP 301 direct for http: to https: – Add a cache-control header! • HTTP Strict Transport Security (HSTS) – Like the browser’s cache, but for protocol access. Make (semi) far future – Wide support (>90% of SPDY capable browsers)
  • 47. Avoid These Optimizations • Domain Sharding – Hack to request multiplexing, not needed – Hurts SPDY by spreading requests out • JavaScript CDNs – These are a horrible blight on the web! – http://statichtml.com/2011/google-ajax- libraries-caching.html – https://github.com/h5bp/html5- boilerplate/pull/1327
  • 48. TOOLS
  • 51. Now on Github, GPL licensed!
  • 52. SSL/SPDY Optimization Check List • Website responds over SSL/443 • Website has NPN extension (even without SPDY for False Start) • X.509 certificate is valid • X.509 chain is short • SSL Asymmetric keys are <= 2048 • Cipher is fast! (RC-4, AES-128 if supports dedicated instructions)
  • 53. SSL/SPDY Optimization Check List • SSL session resumption is enabled (both identifiers and tickets) • No SSL compression • Website is using latest version of SPDY • HTTP permanently (301) redirects to HTTPS (including cache header) • HTTPS sends HTTP Strict Transport Security header
  • 54. Great Resources • Ivan Ristic (blog.ivanristic.com) • Adam Langley (www.imperialviolet.org) • Mark Nottingham (www.mnot.net/blog/) • Qualys SSL Labs (ssllabs.com) • SPDYCheck (spdycheck.org)
  • 56. Maximizing Performance with SPDY & SSL Billy Hoffman billy@zoompf.com @zoompf